| Title | Assimp commit 17c12da Double Free |
|---|---|
| Description | A critical double-free memory corruption vulnerability exists in Assimp Library's PLY model parsing and exporting module. The flaw stems from conflicting memory ownership management of `aiScene` and `aiMesh` objects during model loading and exporting operations. When loading a maliciously crafted PLY model file via `Assimp::Importer::ReadFileFromMemory` and directly passing the returned `const aiScene*` object to `Assimp::Exporter::ExportToBlob`, duplicate memory release operations are triggered. The `ExportToBlob` function takes ownership of the scene object through `std::unique_ptr<aiScene>` and frees the associated `aiMesh` memory during pointer destruction. Subsequently, the `Assimp::Importer` destructor attempts to free the already released mesh memory again, resulting in a valid double-free corruption. This vulnerability occurs due to unreasonable memory ownership rules between the importer and exporter modules, causing redundant release of heap memory allocated by the PLY format loader. Remote attackers can exploit this flaw by supplying a malformed PLY model file, triggering memory corruption and program crash to cause a denial-of-service (DoS) condition, and potentially enabling arbitrary code execution or sensitive memory information disclosure. |
| Source | https://github.com/assimp/assimp/issues/6620 |
| User | TYGLS (UID 94774) |
| Submission | 2026-06-01 08:11 AM (1 month ago) |
| Moderation | 2026-07-03 03:44 PM (1 month later) |
| Status | Accepted |
| VulDB Entry | 376112 [Open Asset Import Library Assimp up to 6.0.4 PLY Model PlyLoader.cpp ExportToBlob memory corruption] |
| Points | 20 |